Executive Summary

Domain parking is the practice of assigning a nonsense address to a domain when it is not in use, in order to keep it ready for "live" use. This practice is peculiar because it indicates that someone has administrative control over the domain name and does not have hardware ready to respond to requests, but wants the domain to appear active. A more appropriate response would seem to us to be that the domain does not exist. This mismatch between expected benign behavior (no such domain) and actual observed behavior (parking) made us suspicious. In this paper we discuss scalable detection methods for domain names parking on reserved IP address space, and then use the resulting data set to evaluate whether this behavior appears to be indicative of malicious behavior.

We find that during the month of January 2014 only 21,328 unique domains exhibited parking on reserved address space, out of over 610 million total unique observed domains. Thus parking appears to be an uncommon Internet behavior, with only 0.0035% of domains exhibiting parking on reserved IP addresses. Of these 21,328 domains, relatively few were observed listed on any of 16 domain black lists at any time from January 1 to February 28, 2014: only 1,563, or 7.3%, were listed in this period. We therefore conclude that parking is a poor indicator of malicious activity, or at least not an indicator of any kind of malicious activity usually examined by public lists of malicious domain behavior.
1 Introduction

When a domain is "parked" on an IP address, the IP address to which the domain resolves is inactive or otherwise not owned by the domain owner. This is a common practice when a user first registers a domain: the registrar does not know what IP address to supply as an answer, but supplying some answer prevents errors.

The domain name system permits a variety of different mechanisms which help provide resiliency to distributed architectures. Often these have legitimate uses, but malicious actors are equally able to adopt successful techniques. Usually the malicious use case is sufficiently different that the type of use can be teased apart. Suspicious domain name parking is no different; herein we present a method for finding it in historical passive DNS data.

Malicious actors seem to have adopted this technique for error-suppression goals similar to those of the benign use case, although the errors being suppressed are different: for example, evading detection before the number of infected machines reaches the desired size, or while the command and control structure is not yet in place. We present a method for detecting domains that exhibit parking and a mechanism for distinguishing legitimate from suspicious use.

This parking destination, reserved IP space, is quite different from parking a domain on someone else's IP space. To our knowledge, there has been one study on parking domains for illicit ad revenue, which appears to happen on a large scale of 4 million domains [1]. However, from the authors' description this appears to be more like typosquatting (as described in Szurdi et al. [2]) than resolution error suppression, as the authors describe the "dark side of domain parking" as monetized "whenever web users type in those domain names (probably accidentally) in the browser's address bar, the parking service resolves the domains to advertisement laden pages" [1, p. 1]. We are not aware of other studies of domain parking, except that some fast-flux identification algorithm studies cited domain parking as an obstacle [3, 4].

Parking on reserved IP space is sufficiently uncommon that it is somewhat difficult to find, at only 0.0035% of unique domains observed. The difficulty is not so much that it is infrequent but that the IP addresses commonly used for parking, such as the 127.0.0.0/8 block or those reserved in RFC 1918 [5], are also used for several other, more common uses of the DNS, such as delivering real-time DNS black list results [6]. A DNSBL, for example, answers a lookup on a listed address with a code such as 127.0.0.2 that encodes a verdict rather than a host location. This introduces noise into any detection technique, since it is not so simple as just finding domains that pointed to reserved address space at some time and then changed.
CIDR block         Justification
10.0.0.0/8         RFC 1918 [5]
127.0.0.0/8        RFC 1700 [9]
169.254.64.0/18    RFC 3927 [10]
172.16.0.0/12      RFC 1918 [5]
192.168.0.0/16     RFC 1918 [5]

Table 1: Private IP address space


2 Method

The main prerequisite for our method is a large source of passive DNS trace data. In order to calculate over large data volumes, we take several simplifying steps. Data are ingested in nmsgtool format [7], including the source DNS server and the precise time range for which the response was valid, at a rate of about 35 GB per day. Unique resource record sets (RRsets) are extracted from the DNS messages and extraneous fields are removed, leaving just the fields for rname, TTL, type, and rdata [8]. A list of unique RRsets per day based on these fields is approximately 2 GB in our data source.

Then we load the RRsets with type A (IPv4 answer) for January 2014 into a PostgreSQL database. The table has fields for the four RRset fields as well as the day observed. Since RRsets are unique per day, an identical RRset observed on multiple days appears in the database once for each day observed. This structure permits a coarse-grained time series view with enough data to detect patterns but enough summarization that calculation is practical.

In order to start our search for parking on private IP address space, we query the database for all RRsets where the rdata is in the IP set indicated in Table 1. Most of the results are not actually parking. Answers in private IP space are used to encode various kinds of non-location data, such as responses to lookups on DNSBLs, and for other administrative reasons in content distribution networks and hosting companies. We created a list by expert human analysis to remove these irrelevant domains from the results. Table 2 lists the second-level domains (SLDs) that were removed.

The process so far yields a list of RRsets with rdata in private IP space and rname domains that do not have a known use. We then search for all other RRsets with the same domains in the rname field. Any results will have publicly routable IP addresses, so the domain has at some point in the month transitioned between private and routable IP address space. We consider these domains to have exhibited parking behavior on private IP address space.
abuseat.org                          httpbl.org                           senderscore.com
ahbl.org                             invaluement.com                      sonicwall.com
anubisnetworks.com                   isipp.com                            sophosxl.com
apews.org                            ja.net                               sorbs.net
barracudacentral.org                 jtripper.net                         spamcop.net
bl.rptn.ca                           junkemailfilter.com                  spameatingmonkey.net
blocklist.de                         kaspersky-labs.com                   spamhaus.net
bondedsender.org                     lic.bizanga.net                      spamhaus.org
borderware.com                       lsu.edu                              spamrats.com
ciphertrust.net                      mail-abuse.com                       spotilocal.com
clearswift.net                       mailshell.net                        srfsrs.com
cox.net                              mailspike.net                        support-intelligence.net
dcrbl.com                            mailspike.org                        surbl.org
ddnsbl.internetdefensesystems.com    manitu.net                           surfsrs.com
device.trans.manage.esoft.com        mcafee.com                           surriel.com
dns-rbl.at                           microsoft.com                        tornevall.org
dnsbl.borderware.org                 mooo.com                             trendmicro.com
dnsbl.inps.de                        mozilla.org                          truncate.gbudb.net
dnsbl.it                             msgsecurity.juniper.net              trustedsource.org
dnsbl.justspam.org                   nerd.dk                              uceprotect.net
dnsresearch.us                       nessus.org                           ucla.edu
dnswl.org                            netvantasecurityportal.com           ufl.edu
drweb.com                            njabl.org                            uribl.com
dsadns.net                           nszones.com                          validatorsearch.verisignlabs.com
dscwl.net                            pacanka.com                          vircom.com
dsintll.net                          qualcomm.com                         webcfs00.com
dsl.cantv.net                        quorum.to                            webcfs01.com
e5.sk                                rating.cloudmark.com                 webcfs02.com
enemieslist.com                      rbl.esoft.com                        webcfs03.com
eset.rs                              rbl.zvelo.com                        wisc.edu
fl.dsmpd.net                         sa.skype.net                         wpbl.info
fl.dsusl.net                         sare.net                             zen.dnsbl-sh.carnet.hr
habeas.com                           sbl.dnsbl-sh.carnet.hr
hexamail.com                         schpider.com

Table 2: Domains that were removed from analysis


For each domain name that has exhibited parking behavior, we can generate a coarse-grained time series of the behavior to categorize what occurred. Table 3 demonstrates some sample behavioral groupings. P indicates a day where the only rdata was in private IP address space, G indicates a day where the only rdata was in globally routable IP address space, and X indicates a day where both address types were observed, i.e. a day on which a change between parking and active occurred.

Analysis of the domains found to exhibit parking mostly consisted of simple text matching on lists of malicious domains. While we have expressed our doubts about the soundness of evaluating an approach by comparing it to black lists [11], we have mitigated this analysis error by including as many lists as possible and by limiting our assumptions about the information provided by this comparison.

                         January:   1-8       9-16      17-24     25-31
Activation on Jan 19                PPPPPPPP  PPPPPPPP  PPXGGGGG  GGGGGGG
Deactivation on Jan 19              GGGGGGGG  GGGGGGGG  GGXPPPPP  PPPPPPP
com.alextringham                    GGGGGGGG  GGGGGGGG  GGGGXPPX  PXPXPPP
cn.proxyie                          GGXXXXXX  GGGXGXGG  GGPGGXGX  XGGGXGX
net.homeip.bnlv                     GGGGGPGG  GGGGGGGG  PGPPGGGG  GGGGPGG

Table 3: Example parking behavior patterns, January 2014. G := only globally routable IPs observed for a domain on a given day. P := only privately reserved IPs observed. X := both observed on the same day.

Analysis of routable IP addresses includes geolocation and ASN attribution information. Geolocation is derived from the public MaxMind GeoLite2 free geolocation data from January 28, 2014 [12]. ASN attribution is derived from our publicly available IP-to-ASN mapping published for January 31, 2014,¹ itself derived from the Route Views [13] and RIPE NCC RIS [14] data. The baseline mapping of ASNs across all IP space uses our open-source SiLK [15] tools for prefix maps and IP sets [16].

3 Results

We applied our method to all unique domains observed in our passive DNS data source for the month of January 2014. This data set contains 610 million total unique domains. After applying the method described above, 21,328 unique domains exhibit parking, or 0.0035% of the total unique domains. This number includes domains that should not publicly resolve, such as .local, but which did in fact have both private and public DNS answers during the period of observation.

An additional 34 domains appeared to exhibit parking behavior; however, all 34 were extremely popular domains listed in the Alexa top 100 at the time [17]. We did not count these popular domains in the 21,328 that we considered to exhibit parking behavior.

In order to obtain some assessment of known maliciousness, we checked the domains that exhibited IP address parking on private address space against 16 domain-based lists of malicious domains. 1,563 domains appeared on at least one such list between January 1 and February 28, 2014. We allowed some additional time beyond when the domains exhibited parking in order to give a domain a better chance of being discovered by a list, as there is some expected lag time for detection.

¹ http://routeviews-mirror.cert.org/pmap/2014/01/20140131.bgp.pmap

TLD    Count   % of Parking   % of All Domains
com     8594      40.2831%          65.7351%
net     2651      12.4262%          20.7651%
org     1045       4.89828%          1.9186%
br       842       3.94675%          0.2514%
edu      662       3.10303%          0.1268%
tw       660       3.09365%          0.0430%
ru       463       2.17024%          0.5156%
cn       441       2.06712%          0.0931%
biz      336       1.57495%          0.2265%
cc       282       1.32183%          0.2541%

Table 4: Top 10 TLDs by number of domains exhibiting IP-address parking on private address space

In order to assess some features of the network connectivity and domain structure, the 21,328 domains can be broken down by top-level domain (TLD) and by whether the domain is hosted by a known dynamic DNS provider. Table 4 details the breakdown of the parking domains by TLD. We also compared the 21,328 domains to a list of 71 known dynamic DNS providers: 353 domains were hosted in this way. The bulk were hosted on two providers: 111 on dyndns.org and 191 on some name affiliated with no-ip. These are the two biggest dynamic DNS providers generally.

We can also characterize the IP addresses used to host the domains while they were routable. 41,170 unique public IP addresses were used as the routable IP addresses for some domain that exhibited parking (on private IP addresses). Each IP address had an average of 1.38 domains pointing to it, though there is clearly a heavily skewed distribution, as displayed in Table 5. We can also characterize these IP addresses by their geographic location, as best as we can determine it. The IP addresses were distributed across 164 countries, also in a long-tail distribution. Table 6 displays the 10 most common locations.

We also examined the autonomous system numbers (ASNs) that announced the public IP addresses used; the top 10 are in Table 7. While the ASN counts are more evenly distributed, there is a bias of some kind towards certain ASNs. The selection of destination IP addresses is not distributed randomly across ASNs: some networks host many times the proportion of these locations than is explainable purely by chance.

# of domains (X)   # of IPs with X domains
X = 1                              36765
X < 10                              4169
X < 50                               188
X < 100                               20
X > 100                               28

Table 5: Distribution of domains per IP address (the bins are successive, and the counts sum to the 41,170 unique IP addresses)

Country Code   # of IP Addresses
US                         17438
RU                          3152
UA                          2163
CN                          1508
DE                          1273
BR                           907
CA                           865
GB                           809
TW                           795
NL                           734

Table 6: Top 10 countries in which IP addresses of domains exhibiting parking were hosted, as geolocated on Jan 28, 2014

4 Conclusions

The number of domains exhibiting parking on private IP addresses is quite small. And although the behavior appears to be distributed non-randomly across ASNs and locations, it does not appear to be a consistent indicator of malicious activity. The process for finding domains genuinely exhibiting parking is somewhat tedious, with a fair amount of manual review and whitelisting of domains for non-location uses that confuse the results. The process also requires a relatively long observation window, as the observation must allow enough time for the domain to change rdata. These two features impose a relatively high cost on finding parking domains, while there are no clear benefits to discovering them. The domains do not have a clear malicious intent, there are not many of them, and the domains are generally uninteresting by our prima facie expert analysis. This particular kind of parking behavior does not appear to be useful to detect. The malicious behavior detected in this way would very likely be easier to detect by existing methods.

ASN        Count   % of parking IPs   % of Internet assigned to ASN
AS6079      1574          3.82317%                        0.02171%
Unknown      881          2.13991%                       37.63242%
AS6517       834          2.02575%                        0.00833%
AS22773      799          1.94073%                        0.27731%
AS5739       732          1.77799%                        0.00305%
AS8075       629          1.52781%                        0.03512%
AS4134       601          1.45980%                        2.52874%
AS15003      585          1.42094%                        0.04291%
AS3462       525          1.27520%                        0.28541%
AS46606      519          1.26063%                        0.01507%

Table 7: Top 10 ASNs announcing routable IP addresses used by domains that exhibit parking. ASN mappings are as of January 15, 2014.

It is possible that the domains exhibiting this kind of parking are actually malicious, but simply are not found by any other method that would have them end up on the black lists we compare against. As lists of malicious behavior are mostly idiosyncratic [11], this is not entirely unlikely. We have made the complete list of domains available² in case another analysis can determine whether they are, in fact, interesting. If so, we would welcome being proven wrong about their uninterestingness.